When it comes to cyber-threats and defense, the U.S. government says that critical infrastructure threats are a growing concern.
Rob Joyce, senior advisor of cybersecurity strategy for the National Security Agency (NSA), said that while attacks targeting the systems that power manufacturing, power and water plants, the oil and gas industry, and many other sectors have been around for a while, the trend “is going the wrong way.”
“We have to get critical infrastructure secured, and that goes across multiple sectors, including financial, health and transportation,” he said Tuesday, speaking at the WSJ Cyber Security Forum in NYC. “It’s becoming more and more important to do that right as we enter the era of the internet of things (IoT) and more tech is connected. We see botnets formed up of compromised equipment at scale and turned against targets, which are usually critical infrastructure.”
Attackers have been targeting critical infrastructure for a while, from the 2016 Ukrainian outage all the way back to the 2013 Iranian DDoS attacks and the emergence of sabotage-bent malware like Stuxnet and Shamoon.
But the problem isn’t going away: according to a Kaspersky Lab report earlier this year, a full 41.2 percent of industrial control system (ICS) computers were attacked by malicious software at least once in the first half of 2018.
Just this week, researchers have detected a widespread reconnaissance campaign targeting global defense and critical infrastructure players — including nuclear, defense, energy and financial companies.
The campaign, dubbed Operation Sharpshooter, began Oct. 25 when a splay of malicious documents were sent via Dropbox. The campaign’s implant has since appeared in 87 organizations worldwide, predominantly in the U.S. and in English-speaking companies.
Paul Abbate, associate deputy director of the FBI, urged critical infrastructure companies large and small to reach out if they were victims of any sort of cyberattack.
“Cyber-threats are becoming increasingly more complex and expanding rapidly,” said Abbate. “We’re maturing in our overall strategy across law enforcement and the private sector – we’re seeking to go 100 percent like we do with terrorism.”
Critical infrastructure threats are seemingly only getting worse: Kaspersky Lab researchers who analyzed telemetry information from customers said they saw a consistent rise in the percentage of attacks in critical infrastructure. The year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.
The biggest challenge when it comes to securing critical infrastructure and other potential attack targets is “getting people to do the basics,” said Joyce.
That includes getting boards and CEOs to invest in security and designing products with security top of mind.
“We’ve got a lot of room to improve – and it starts with protecting with good passwords and patching,” he said. “We have to understand that we’ve put a lot of things into tech, and I don’t know if we’ve done all we need to do to protect that tech.”